Red Hat Product Errata RHSA-2021:0037 - Security Advisory

Issued:: 2021-01-18
Updated:: 2021-01-18

RHSA-2021:0037 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: OpenShift Container Platform 4.6.12 bug fix and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:0038

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Security Fix(es):

kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4 (CVE-2020-8566)
golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64

The image digest is sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-s390x

The image digest is sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-ppc64le

The image digest is sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

Solution

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

Affected Products

Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

Fixes

BZ - 1810470 - [Flake] volume expansion tests occasionally flake with EBS CSI driver
BZ - 1811341 - Subpath test pod did not start within 5 minutes
BZ - 1814282 - Storage e2es leaving namespaces/pods around
BZ - 1836931 - `oc explain localvolume` returns empty description
BZ - 1842747 - Not READYTOUSE volumesnapshot instance can not be deleted
BZ - 1843008 - Fix reconcilliation of manifests for 4.6 channel for LSO
BZ - 1850161 - [4.6] the skipVersion should exactly match regex in art.yaml
BZ - 1852619 - must-gather creates empty files occasionally
BZ - 1866843 - upgrade got stuck because of FailedAttachVolume
BZ - 1867704 - cluster-storage-operator needs to grant pod list/watch permissions to aws operator
BZ - 1867757 - Rebase node-registrar sidebar with latest version
BZ - 1871439 - Bump node registrar golang version
BZ - 1871955 - Allow snapshot operator to run on masters
BZ - 1872000 - Allow ovirt controller to run on master nodes
BZ - 1872244 - [aws-ebs-csi-driver] build fails
BZ - 1872290 - storage operator does not install on ovirt
BZ - 1872500 - Update resizer sidecar in CSI operators to use timeout parameter than csiTimeout
BZ - 1873168 - add timeout parameter to resizer for aws
BZ - 1877084 - tune resizer to have higher timeout than 2mins
BZ - 1879221 - [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress
BZ - 1881625 - replace goautoreneg library in LSO
BZ - 1886640 - CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
BZ - 1888909 - Placeholder bug for OCP 4.6.0 rpm release
BZ - 1889416 - Installer complains about not enough vcpu for the baremetal flavor where generic bm flavor is being used
BZ - 1889936 - Backport timecache LRU fix
BZ - 1894244 - [Backport 4.6] IO archive contains more records of than is the limit
BZ - 1894678 - Installer panics on invalid flavor
BZ - 1894878 - Helm chart fails to install using developer console because of TLS certificate error
BZ - 1895325 - [OSP] External mode cluster creation disabled for Openstack and oVirt platform
BZ - 1895426 - unable to edit an application with a custom builder image
BZ - 1895434 - unable to edit custom template application
BZ - 1897337 - Mounts failing with error "Failed to start transient scope unit: Argument list too long"
BZ - 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
BZ - 1898178 - [OVN] EgressIP does not guard against node IP assignment
BZ - 1899266 - [4.6z] Baremetal IPI with IPv6 control plane: nodes respond with duplicate packets to ICMP6 echo requests
BZ - 1899622 - [4.6z] configure-ovs.sh doesn't configure bonding options
BZ - 1900736 - [SR-IOV] Backport request to SR-IOV operator version 4.6 - SriovNetworkNodePolicies apply ignoring the spec.nodeSelector.
BZ - 1900792 - Track all resource counts via telemetry
BZ - 1901736 - additionalSecurityGroupIDs not working for master nodes
BZ - 1903353 - Etcd container leaves grep and lsof zombie processes
BZ - 1905947 - [Internal Mode] Object gateway (RGW) in unknown state after OCP upgrade.
BZ - 1906428 - [release-4.6]: When using webhooks in OCP 4.5 fails to rollout latest deploymentconfig
BZ - 1906723 - File /etc/NetworkManager/system-connections/default_connection.nmconnection is incompatible with SR-IOV operator
BZ - 1906836 - [sig-arch][Early] Managed cluster should start all core operators: monitoring: container has runAsNonRoot and image has non-numeric user (nobody)
BZ - 1907203 - clusterresourceoverride-operator has version: 1.0.0 every build
BZ - 1908472 - High Podready Latency due to timed out waiting for annotations
BZ - 1908749 - [GSS] Unable to deploy OCS 4.5.2 on OCP 4.6.1, cannot `Create OCS Cluster Service`
BZ - 1908803 - [OVN] Network Policy fails to work when project label gets overwritten
BZ - 1908847 - [4.6.z] RHCOS 4.6 - Missing Initiatorname
BZ - 1909062 - ARO/Azure: excessive pod memory allocation causes node lockup
BZ - 1909248 - Intermittent packet drop from pod to pod
BZ - 1909682 - When scaling down the status of the node is stuck on deleting
BZ - 1909990 - oVirt provider uses depricated cluster-api project
BZ - 1910066 - OpenShift YAML editor jumps to top every few seconds
BZ - 1910104 - [oVirt] Node is not removed when VM has been removed from oVirt engine
BZ - 1911790 - [Assisted-4.6] [Staging] reduce disk speed requirement for test/dev environments
BZ - 1913103 - Placeholder bug for OCP 4.6.0 rpm release
BZ - 1913105 - Placeholder bug for OCP 4.6.0 metadata release
BZ - 1913263 - [4.6] Unable to schedule a pod due to Insufficient ephemeral-storage
BZ - 1913329 - [Assisted-4.6] [Staging] Installation fails to start
BZ - 1914988 - [4.6.z] real-time kernel in RHCOS is not synchronized
BZ - 1915007 - Fixed by revert -- Upgrade to OCP 4.6.9 results in cluster-wide DNS and connectivity issues due to bad NetworkPolicy flows

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 4.6 for RHEL 8

SRPM
x86_64

Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8

SRPM
ppc64le

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8

SRPM
s390x

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation